vps-set-up-playbook/roles/ufw/tasks/main.yml

- name: Install UFW
  apt:
    name:
      - ufw
    state: latest
    install_recommends: false

# ----------------------------------------------------------------------------------------------------

- name: UFW allow {{ wireguard_port }} UDP for Wireguard
  community.general.ufw:
    rule: allow
    src: 0.0.0.0/0
    dest: any
    proto: udp
    port: {{ wireguard_port }}

# ----------------------------------------------------------------------------------------------------

- name: UFW allow {{ ssh_port }} TCP
  community.general.ufw:
    rule: allow
    src: {{ wireguard_mesh_subnet }}/16
    dest: any
    proto: tcp
    port: {{ ssh_port }}

# ----------------------------------------------------------------------------------------------------

- name: UFW allow 8870 from {{ oracle_ipv4_cidr_block }}/16 TCP for Socks Proxy
  community.general.ufw:
    rule: allow
    src: {{ oracle_ipv4_cidr_block }}/16
    dest: any
    proto: tcp
    port: 8870
  when:
    - inventory_hostname in groups["oracle"]

- name: UFW allow 8870 from {{ wireguard_mesh_subnet }}/16 TCP for Socks Proxy
  community.general.ufw:
    rule: allow
    src: {{ wireguard_mesh_subnet }}/16
    dest: any
    proto: tcp
    port: 8870

- name: UFW allow NFS TCP
  community.general.ufw:
    rule: allow
    src: {{ wireguard_mesh_subnet }}/16
    dest: any
    proto: tcp
    port: 2049

# ----------------------------------------------------------------------------------------------------

- name: UFW allow 80 TCP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: tcp
    port: 80
  when: inventory_hostname == 'oracle4'

- name: UFW allow 443 TCP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: tcp
    port: 443
  when: inventory_hostname == 'oracle4'

- name: UFW allow 443 UDP
  community.general.ufw:
    rule: allow
    src: any
    dest: any
    proto: udp
    port: 443
  when: inventory_hostname == 'oracle4'

# ----------------------------------------------------------------------------------------------------

- name: UFW default deny routed
  community.general.ufw:
    default: deny
    direction: routed

- name: UFW default deny incoming
  community.general.ufw:
    default: deny
    direction: incoming

- name: UFW default allow outgoing
  community.general.ufw:
    default: allow
    direction: outgoing

# ----------------------------------------------------------------------------------------------------

- name: UFW enable
  community.general.ufw:
    state: enabled
Inital commit 2023-11-11 02:06:42 +08:00			`- name: Install UFW`
			`apt:`
			`name:`
			`- ufw`
			`state: latest`
			`install_recommends: false`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW allow {{ wireguard_port }} UDP for Wireguard`
			`community.general.ufw:`
			`rule: allow`
			`src: 0.0.0.0/0`
			`dest: any`
			`proto: udp`
			`port: {{ wireguard_port }}`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW allow {{ ssh_port }} TCP`
			`community.general.ufw:`
			`rule: allow`
			`src: {{ wireguard_mesh_subnet }}/16`
			`dest: any`
			`proto: tcp`
			`port: {{ ssh_port }}`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW allow 8870 from {{ oracle_ipv4_cidr_block }}/16 TCP for Socks Proxy`
			`community.general.ufw:`
			`rule: allow`
			`src: {{ oracle_ipv4_cidr_block }}/16`
			`dest: any`
			`proto: tcp`
			`port: 8870`
			`when:`
			`- inventory_hostname in groups["oracle"]`

			`- name: UFW allow 8870 from {{ wireguard_mesh_subnet }}/16 TCP for Socks Proxy`
			`community.general.ufw:`
			`rule: allow`
			`src: {{ wireguard_mesh_subnet }}/16`
			`dest: any`
			`proto: tcp`
			`port: 8870`

			`- name: UFW allow NFS TCP`
			`community.general.ufw:`
			`rule: allow`
			`src: {{ wireguard_mesh_subnet }}/16`
			`dest: any`
			`proto: tcp`
			`port: 2049`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW allow 80 TCP`
			`community.general.ufw:`
			`rule: allow`
			`src: any`
			`dest: any`
			`proto: tcp`
			`port: 80`
			`when: inventory_hostname == 'oracle4'`

			`- name: UFW allow 443 TCP`
			`community.general.ufw:`
			`rule: allow`
			`src: any`
			`dest: any`
			`proto: tcp`
			`port: 443`
			`when: inventory_hostname == 'oracle4'`

			`- name: UFW allow 443 UDP`
			`community.general.ufw:`
			`rule: allow`
			`src: any`
			`dest: any`
			`proto: udp`
			`port: 443`
			`when: inventory_hostname == 'oracle4'`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW default deny routed`
			`community.general.ufw:`
			`default: deny`
			`direction: routed`

			`- name: UFW default deny incoming`
			`community.general.ufw:`
			`default: deny`
			`direction: incoming`

			`- name: UFW default allow outgoing`
			`community.general.ufw:`
			`default: allow`
			`direction: outgoing`

			`# ----------------------------------------------------------------------------------------------------`

			`- name: UFW enable`
			`community.general.ufw:`
			`state: enabled`